I agree that this is a good step to take in hardening the site. I would not recommend interfering directly with the files from WordPress for the exact reason your describe: updates will overwrite it.
Two options I would recommend:
- Use a hardening plug-in to help you do this
- Add a rule to .htaccess to prevent people from accessing the file
In the wp-admin folder add this to .htaccess:
<Files install.php>
Order Allow,Deny
Deny from all
</Files>
Related Posts:
- Should I remove install.php and install-helper.php?
- Securing a multi-user permission structure
- Is it good security advice to install wordpress in subdirectory but link to root?
- wp-config.php being written by attacker
- SSL Error: unable to get local issuer certificate
- When you use ‘badidea’ or ‘thisisunsafe’ to bypass a Chrome certificate/HSTS error, does it only apply for the current site? [closed]
- When you use ‘badidea’ or ‘thisisunsafe’ to bypass a Chrome certificate/HSTS error, does it only apply for the current site? [closed]
- Why does the URL http://a/%%30%30 crash Google Chrome?
- When you use ‘badidea’ or ‘thisisunsafe’ to bypass a Chrome certificate/HSTS error, does it only apply for the current site?
- Can an attacker use inspect element harmfully?
- Where does Internet Explorer store saved passwords?
- Infected Files – what to do [closed]
- WordPress 4.7.1 REST API still exposing users
- Should I escape wordpress functions like the_title, the_excerpt, the_content
- Why does WordPress need my private ssh key to update?
- When to use esc_html and when to use sanitize_text_field?
- Why does WordPress have more than one salt?
- What is the ideal setup to address security concerns?
- Will there be security updates for 3.1 once 3.2 is released?
- WordPress it’s cleaning a custom query_var to avoid sql injections?
- Can someone explain the use cases of esc_html?
- Tips for finding SPAM links injected into the_content
- Close a wordpress blog – keep site as it is but prevent hacks
- Is WordPress vulnerable to the httpoxy?
- Prevent setup-config.php page from appearing when host blocks database
- wp.getUsersBlogs XMLRPC Brute Force Attack/Vulnerability
- WordPress and Security
- Is there a security risk giving someone temporary access to my blog’s code?
- Is /wp-login.php?redirect_to[] exploitable?
- How to properly sanitize/secure a WP Query coming from the front end
- brute force attack even though it is limited by IP
- What should I do about hacked server?
- How do I authenticate WP users from a chrome extension?
- Website is being flooded [closed]
- What is the most secure way to set up the MySQL user in WPMU?
- Is there any point setting the keys and salts in wp-config.php?
- Auth cookie value security risk?
- Where to store OAuth 2.0 client id and secret?
- Security – Shortcode injection attack
- Registration Plugin – Recaptcha integration
- How can I safely use $_SERVER[‘REQUEST_URI’] to avoid XSS?
- How to combat flooding admin-ajax.php?
- Dangers to allowing Access-Control-Allow-Origin: * for Feeds only?
- Moving away from MD5: Where to declare the custom global $wp_hasher?
- Would it be dangerous to send all the wp_options to javascript file?
- Changing Table Prefixes – once done, am I good to go going forward?
- Should I disable directory listing for wp-includes?
- Safety side of storing emoji into database
- Verifying that I have fully removed a WordPress hack?
- How can I safely hide the fact that my website runs on WordPress? [closed]
- How can I display nickname instead username in links
- My WordPress Websites are always under attack
- Is there value in using a wp_nonce for POST requests?
- Using an Encryption class in a WordPress Plugin
- How to hide easy access to my website temporarily?
- Can I Remove xmlrpc.php completely?
- Config file with no Keys..?
- How much should I worry about these messages?
- Security concerns with external links
- Uploading .webm format on WordPress results in security guidline breach and fail
- Any any insecure http:// URLs left in wordpress?
- White screen of death on admin pages after moving wp-config up two levels for security
- .htaccess password protection bypassed
- Session Cookie security questions
- Storing FTP details in wp-config.php
- Can a WordPress administrator see other users’ passwords?
- Why my plugins are updating automatically?
- Spam injected in w3 total cache page cache [closed]
- Privilege escalation bugs in 2.9?
- Content-Security-Policy blocks WordPress check boxes from being activated
- How to distinguish between a hack and an encoding error?
- Prevent editor from adding script or form
- How to change location of wp-config.php to folder or 2 folders up?
- Finding where a snippet of code is coming from
- wordpress admin security
- Remove hacked code – out of ideas! [closed]
- Why do people use “admin” username by default? [closed]
- WordPress Database Re-installed (Hacked)
- WordPress Security tools
- Robots.txt file not updating
- Security: Critical backend outside of wordpress
- Advice On How to Backup WordPress
- How can I stop other plugins from using my class’ sensitive methods?
- What are WordPress Current Security Issues in 2017?
- wp-config.php moved above root results in no plugin updates
- Password-protect feed and make it usable in major aggregators
- Should I change the default file and folder permissions?
- WordPress exploited theme is causing high io load on server
- How to rewrite rules for WP-security in Nginx?
- how to find the way they hacked my WP site
- How to set custom validation for WordPress Passwords?
- Is it a bad idea to CHMOD 777 all the files on your site?
- How to stop repeated hack on header.php of custom theme? [closed]
- is this code properly secured
- nginx + wordpress: Best practices for configuring it to be secure, reliable, and fast? [closed]
- How to get real password (before encrypt) when register a user?
- Move data from wp-config to another file
- Heartbleed: What is it and what are options to mitigate it?
- OpenVPN vs. IPsec – Pros and cons, what to use?
- How to test if my server is vulnerable to the ShellShock bug?